from:"Steve Chadsey"

Re: Verifying enabled ciphers?

2003-01-30 Thread Steve Chadsey

One more question regarding the SSLCipherSuite line.  Our security
auditor recommended that we change the line
  SSLCipherSuite HIGH:MEDIUM:!ADH
to
  SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL

What is the difference?  
  openssl ciphers -v 'HIGH:MEDIUM:!ADH'
and
  openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'

both return the same cipher list.  Is there a practical difference
in the two directives?

Thanks,
-- 
Steve [EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: Verifying enabled ciphers?

2003-01-27 Thread Steve Chadsey

On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote:
 Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
 

OK.  I did that, and the only one I support is RC4 with MD5.  Strange, I
thought I would be able to support more.  Actually, to amend my previous
post, the ones I expected to see were:

EDH-RSA-DES-CBC3-SHA 
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-DSS-RC4-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5

since I have SSLv2 shut off.  Would the above list be further limited
by the type (RSA / DSA) key I have?  It is RSA.


 To unpack the terms:
  
 allows anonymous authentication - That sounds like allowing anyone to

I believe they mean Anonymous Diffie-Helman.  My SSLCipherSuite line
excludes those, so I think they're wrong here.

 allows cleartext communication - That's what you get on non-secured sites.
 If the data doesn't need to be secured, there's no issue.

I believe they are referring to the NULL-MD5 cipher.  I tested that
with s_client, and I can't connect ('handshake failure'), so I don't
believe I'm supporting that one either.

 
 supports weak encryption - Allows older browsers that have
 export-crippled security to connect. On the above Netcraft site, you'll
 see export version. The question for you is whether it is satisfactory to

Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according
to my SSLCipherSuite line.  

To follow up to Lutz, I tested all the ciphers with s_client against
my server.  The ones that I connected with were:

DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
IDEA-CBC-SHA
RC4-MD5
RC4-SHA

This is a shorter list than what I was expecting (at the top of
this message).

The following did not connect, giving me a 'handshake failure':
ADH-DES-CBC3-SHA 
ADH-DES-CBC-SHA
ADH-RC4-MD5
DES-CBC-SHA
DHE-DSS-RC4-SHA
EDH-DSS-DES-CBC3-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

The following gave me 'illegal parameter':
DES-CBC3-MD5
DES-CBC-MD5
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-64-MD5


Thanks,
-- 
Steve [EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Verifying enabled ciphers?

2003-01-23 Thread Steve Chadsey

How can I verify the ciphers enabled by my webserver?

The reason I ask is because I have been informed by a third-party
security auditor that my server allows anonymous authentication,
allows cleartext communication, and supports weak encryption.
I am unable to verify any of these claims on my own.

Here is my information
Apache: 1.3.27
mod_ssl: mod_ssl/2.8.12-1.3.27
openssl: openssl-0.9.6g
OS: Solaris 8

Here are my relevant SSL directives from httpd.conf:
SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2

According to 
  /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'
the supported ciphers for my server are:
EDH-RSA-DES-CBC3-SHASSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHASSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
DHE-DSS-RC4-SHA SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
IDEA-CBC-SHASSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
IDEA-CBC-MD5SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

But apparently I am also supporting:
ADH-DES-CBC-SHA
DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
NULL-MD5
NULL-SHA

Is the security auditor full of it?  How can I verify their results
from an external machine (they've scanned the network from an
external box)?

Thanks,
-- 
Steve Chadsey [EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: Verifying enabled ciphers?

Re: Verifying enabled ciphers?

Verifying enabled ciphers?

3 matches

Site Navigation

Mail list logo

Footer information